Tag Archives: Mr Shulman

ICO scrutinises FIFA over ticket data loss incident

Football’s international governing body FIFA is under investigation by the Information Commissioner’s Office (ICO) following claims that it lost personal information belonging to many of the people who bought tickets for the 2006 World Cup.

Reports suggest that a member of FIFA staff illicitly accessed a large volume of data and then sold it on to unknown buyers. Of the 35,000 people claimed to have been affected by the incident, many are alleged to have had their passport details exposed.

The ICO has disputed the claim that tens of thousands of people were affected, telling Computer Weekly that the figure was closer to 7,000, although even that is a significant number. It did confirm that passport details, names and dates of birth were among the stolen data.

Security expert Amichai Shulman said that FIFA’s data handling policies would be brought into disrepute if the incident proved to be as serious as initial reports suggest.

Mr Shulman said that this was symptomatic of the current data protection culture, which points all the defences outwards and ignores the risks from within.

Mr Shulman argues that FIFA should have made it difficult for employees to access data relating to fans, or at least monitored who was accessing that information, so that any leak could be plugged quickly and would-be insiders deterred from stealing data in this callous manner.
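As an added illustration of the monitoring Mr Shulman describes (this is example code written for this page, not anything FIFA ran), the following check reads a constructed audit log of staff access to ticket-holder records and flags the two patterns an insider export tends to produce: one account reading far more distinct records in a day than its role warrants, and reads outside office hours. The log format, account names, record identifiers and thresholds are all assumptions for illustration.

```python
"""Added example (not code from the page or from FIFA): a minimal
access-monitoring check of the kind the article says was missing, run over
a constructed audit log. The log format, account names, record identifiers
and the thresholds are all assumptions for illustration."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed audit records, one per customer record touched by a staff
# account: ISO timestamp, account, action, record identifier.
AUDIT_LOG = """\
2010-03-01T09:02:11 jdoe read ticketholder/10481
2010-03-01T09:04:50 jdoe read ticketholder/10482
2010-03-01T09:05:13 asmith read ticketholder/22017
2010-03-01T09:06:40 jdoe read ticketholder/10483
2010-03-01T09:07:02 jdoe read ticketholder/10484
2010-03-01T09:07:29 jdoe read ticketholder/10485
2010-03-01T09:08:01 jdoe read ticketholder/10486
2010-03-01T11:30:45 asmith read ticketholder/22018
2010-03-01T23:10:09 kmoore read ticketholder/30991
2010-03-02T10:00:00 jdoe read ticketholder/10481
"""


def parse_audit_log(text: str) -> List[Dict]:
    """Parse whitespace-separated records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record})
    return events


def flag_bulk_readers(events: List[Dict], max_records_per_day: int = 5) -> list:
    """Report (account, day, count) where an account read more distinct
    customer records in one day than the agreed baseline. A genuine support
    query touches a handful of records; a bulk export touches thousands."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] == "read":
            seen[(e["user"], e["ts"].date())].add(e["record"])
    return sorted((user, day.isoformat(), len(recs))
                  for (user, day), recs in seen.items()
                  if len(recs) > max_records_per_day)


def flag_off_hours(events: List[Dict], start_hour: int = 8, end_hour: int = 18) -> list:
    """Report reads of customer records outside office hours."""
    return sorted((e["user"], e["ts"].isoformat(), e["record"])
                  for e in events
                  if e["action"] == "read"
                  and not (start_hour <= e["ts"].hour < end_hour))


def run_checks(text: str = AUDIT_LOG) -> Dict[str, list]:
    """Run both detections over a log and return the alerts by type."""
    events = parse_audit_log(text)
    return {"bulk": flag_bulk_readers(events), "off_hours": flag_off_hours(events)}


if __name__ == "__main__":
    for kind, alerts in run_checks().items():
        print(kind, alerts)
```

The thresholds are deliberately low so the constructed log trips them; in practice the baseline is set per role, and the alerts feed a review queue rather than blocking access. The check only works if reads of personal data are logged in the first place, and staff knowing that they are logged is itself part of the deterrent the article calls for.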

It has been made clear that no external hack was involved in this breach: the employee simply abused legitimate, privileged access to the data for personal gain, at the expense of the integrity of the organisation as a whole.

Observers are also concerned that FIFA was still holding the data four years after the tournament in question had ended, which suggests it is failing at a very basic level to manage and protect the data for which it is responsible.

Many hope that businesses and organisations will take FIFA’s slip-up as another example of how improper controls and data handling policies can leave customers exposed and a company’s reputation sullied.

Cybercriminals harness cloud techniques for phishing attacks

A sophisticated toolkit that automatically generates phishing attacks has been built to exploit the cloud computing model in a way not seen before.

The kit not only harms businesses and individuals by stealing their private data; it also covertly forwards that data straight back to the two hackers who wrote it, bypassing the hackers who distribute and deploy the kit and effectively using them as unwitting middlemen who do not necessarily profit from the phishing attacks they run.

The malicious genius of the software is that its creators can sit back and watch the stolen data pour in without running any phishing campaigns of their own: once the kit was released on a notorious forum, hackers around the world began sharing it, and they now do all of the work for its authors.

Security vendor Imperva says that over 200,000 copies of the software have already been downloaded. Although the small phishing sites that use it are typically shut down after harvesting information from a few hundred unsuspecting users, the reach of the kit as a whole could extend much further.

By basing the phishing kit on the cloud computing model the hackers have created a data theft network that will be almost impossible to eradicate, because there is no central server controlling the operation. Instead, thousands of individual hackers are exploiting one another and constantly feeding data back to the original creators, according to Imperva’s Amichai Shulman.

Authorities will be able to target individual phishing campaigns built on the new toolkit, but taking down a single campaign will not affect the dozens of others still up and running, so a running battle could be fought well into the future, according to Mr Shulman.

Basing a phishing toolkit on the cloud computing model is certainly sensible from the hackers’ twisted point of view, and from that point of view it will keep generating new campaigns and harvesting data for its creators. This could signal the dawn of a new era in the fight for data security.

Data loss mounts as prophylactics and student loans firms are attacked

The last week has been rife with new stories of high-profile data loss. The Barnet Council incident has caused a stir in the UK, and in the US it has been revealed that 3.3 million students have been affected after a firm providing student loans had detailed personal information stolen.

Federal student loans in the US are handled by the Education Credit Management Corporation (ECMC), and millions of its borrowers have been exposed after data was stolen from its Minnesota headquarters last week.

As well as the names and addresses of the affected students, the thieves obtained Social Security numbers and dates of birth. The ECMC has confirmed that, although the loss is significant, no bank details were leaked.

The investigation into the loss at the ECMC is ongoing and, as such, the media has been unable to obtain precise details of the incident. It is understood that at this time there is no indication that the data has been misused by any third party.

In other data loss news, it emerged this week that the parent company that owns the Durex brand was unaware that one of its subsidiary’s websites was entirely unsecured, allowing anyone to access customers’ personal information without logging in.

The kohinoorpassion.com customer site holds the orders and personal information of thousands of customers, and its owner, TTK-LIG, was only notified of the serious security loophole after an inquisitive customer stumbled across it almost by accident.

The customer revealed that simply by changing the order number in the site’s URL it was possible to bypass login altogether and view the corresponding customer’s order history, home address and other private information. In other words, the site looked an order up by the identifier supplied in the request without checking that the requester was logged in or entitled to see that order, a classic insecure direct object reference.
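To make the flaw concrete, here is an added example (written for this page; it is not code from kohinoorpassion.com or TTK-LIG) showing the lookup pattern behind "change the order number in the URL and see another customer's order", beside a fixed handler that requires a session and scopes the lookup to the caller's own orders. The order store, the session table and the handler names are assumptions for illustration.

```python
"""Added example (not code from the page, kohinoorpassion.com or TTK-LIG):
the lookup pattern behind 'change the order number in the URL and see
another customer's order', beside a fixed version. The order store, the
session table and the handler names are assumptions for illustration."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    address: str

    def public_view(self) -> dict:
        return {"order_id": self.order_id, "address": self.address}


# Constructed sample data standing in for the shop's order database.
ORDERS = {
    1001: Order(1001, customer_id=7, address="1 Example Road"),
    1002: Order(1002, customer_id=8, address="2 Sample Street"),
}

# Constructed session table: session token -> authenticated customer id.
SESSIONS = {"tok-alice": 7, "tok-bob": 8}

Response = Tuple[int, Optional[dict]]  # (HTTP status, response body)


def vulnerable_order_view(order_id: int) -> Response:
    """The flaw: the handler trusts the identifier from the URL and returns
    whatever it finds. No session is required and ownership is never checked,
    so any valid order number returns someone's address."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order.public_view()


def secure_order_view(order_id: int, session_token: Optional[str]) -> Response:
    """The fix: require an authenticated session, then scope the lookup to the
    caller's own orders (in SQL terms, WHERE id = ? AND customer_id = ?).
    Unknown and foreign orders both return 404 so the response does not
    reveal which order numbers exist."""
    customer_id = SESSIONS.get(session_token or "")
    if customer_id is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != customer_id:
        return 404, None
    return 200, order.public_view()


def enumerate_orders(view: Callable[[int], Response], candidates: Iterable[int]) -> List[int]:
    """Simulate the customer's probe: walk a range of order numbers and
    report which ones the handler hands back."""
    return [oid for oid in candidates if view(oid)[0] == 200]


if __name__ == "__main__":
    probe = range(1000, 1005)
    print("vulnerable:", enumerate_orders(vulnerable_order_view, probe))
    print("as alice:  ", enumerate_orders(lambda i: secure_order_view(i, "tok-alice"), probe))
    print("no session:", enumerate_orders(lambda i: secure_order_view(i, None), probe))
```

The sequential order numbers make the probe trivial, but switching to random identifiers alone is not the fix: the authorization check in `secure_order_view` is what stops a logged-in customer from reading another customer's order, whatever the identifier looks like.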

Security expert Amichai Shulman commented that he was amazed by the general complacency with which some businesses approach data protection. Mr Shulman pointed out that the increasing sophistication of hackers was not being adequately countered by firms and that basic security measures needed to be tightened across the board.

PCI DSS standards supported after criticism

After an SME representative spoke out early last week against the enforcement of PCI DSS, saying that it would damage small businesses, security experts have come out to defend the data security standard, although the issue is clearly complex.

Data security expert Jan Fry explained in an interview with SC Magazine that there was growing animosity between credit card companies and smaller businesses, but said that this mistrust of the standard stemmed from a lack of understanding of the terms and implications of PCI DSS.

Mr Fry said that it was acknowledged within the industry that the current standards were not appropriate for every business, but that fighting security standards that ultimately exist to protect the consumer could do more damage to businesses than complying with them.

In fact experts were keen to present PCI DSS in a way that showed off its flexibility and scalability, with Mr Fry saying that most businesses accept the need for compliance because in most cases the benefits outweigh the pitfalls. He also said that there was no reason for small businesses to fear that they would be ‘exterminated’ as a result of non-compliance, and derided the partisan attitude taken by a number of the standard’s detractors.

It is accepted that most small businesses want to take on PCI DSS with as little financial impact as possible, and a recent study by Ponemon and Imperva found that many believed compliance was an intrinsically expensive exercise, which discouraged business owners from even attempting to follow the guidelines.

Imperva’s Amichai Shulman said that small businesses should treat PCI DSS as a way of mitigating the risk of security breaches and data loss. He cited a recent hack of an online store that originated in a single insecure application that failed to meet industry standards, making it easy for cybercriminals to steal the payment card details of the site’s customers.

However, Mr Shulman added that credit card companies needed to work with small businesses closely in order to ensure a wider level of acceptance and ultimately better data security for all.
